Apple flaw allows macOS High Sierra logins without passwords

Major Apple security flaw grants admin access on macOS High Sierra without password

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password.

After clicking unlock several times, it should eventually open up, no passwords necessary.

The bug was discovered by Lemi Orhan Ergin, whose Twitter profile shows him as a Turkish software developer. All you need to do is enter "root" into the username field, leave the password blank, and hit Enter a few times. The root account for your device is a superuser, with the ability to read and write files all across the system.

We can confirm the bug is present in macOS 10.13.1, and anyone with a Mac in a public office space is urged to fix this themselves, immediately. Then, click the "Join" button beside "Network Account Server" and a new panel will pop up. Someone logged in as root can change any user's password, allowing them to log in and access things like email and browser passwords.

Click the lock in the corner.

From the account, you'll be able to see everything on the Mac.

A user reported the issue earlier today, but initially it wasn't specified which version of macOS High Sierra was affected, which machines, or anything other than what the problem was. macOS users may want to mitigate the issue themselves by assigning a root password or disabling the root account under System Preferences > Users & Groups.

CNET independently confirmed this security flaw exists and reached out to Apple about the issue. Edward Snowden, a key voice in the information security community after being at the center of many years of National Security Agency leaks, commented on the disclosure. Then from the menu bar at the top of the screen, click on the "Edit" menu and choose "Enable Root User".
